Aujas Incident Management Deck Sept 2016

Get Ready to: Detect, Respond & Recover from a Cyber Attack

Transcript of Aujas Incident Management Deck Sept 2016 (19 pages)

Page 1: Aujas Incident Management Deck Sept 2016

Get Ready to: Detect, Respond & Recover from a Cyber Attack

Page 2: Aujas Incident Management Deck Sept 2016


Copyright @2016 Aujas Information Risk Services

Typical Security Incident: One Day at a Utilities Company

7:00 AM: Customers calling about slow network (discovery of large amounts of suspicious traffic).

8:00 AM: Normal business disrupted (unknown malware discovered; wave of DDoS attacks).

12:30 PM: Attack on internal systems. Data breach. (Malware and DDoS were just a distraction for backdoor entry.)

2:30 PM: Story in media as the attacks continue and spread to partners (incident response team still struggling to restore services).

5:00 PM: All business operations grind to a halt (real-time applications down; remote employees disconnected; connection to DB lost …).

7:00 PM: Every attempt to recover unsuccessful (lack of a unified and tested incident response process is expensive).

Page 3: Aujas Incident Management Deck Sept 2016


12 Hours Can Become Devastating

• Design documents and source code of the company's flagship products have been stolen.

• Business partners can also be impacted by the attack.

• The organization's reputation is in jeopardy.

• Clients and business partners are angry and decide to terminate contracts.

• Law enforcement and regulators start investigations.

• Claims that cyber attackers are taking down the organization are spreading throughout media channels.

• Sensitive client information is posted to public domains.

• Password list is stolen and made public.

• Production databases have been deleted.

• Internal communications and other critical applications are down.

Page 4: Aujas Incident Management Deck Sept 2016


Best Defense: Early Detection and Rapid Response!

Source: Verizon Data Breach Report

It just takes minutes to compromise and steal data. But it takes weeks to months to discover and contain. How can you reduce the gap?

Page 5: Aujas Incident Management Deck Sept 2016


Use a Framework: Go for a framework-based approach

• IS-IM Governance: Creation of cross-functional teams, interaction models and reporting, and definition of their roles and responsibilities.

• IS-IM Policies & Procedures: Policies and procedures for operating the IS-IM model.

• Incident Database: Knowledge base of responses for common scenarios, based on prior knowledge as well as actual incident learning.

• Training & Awareness: Operation process training, awareness of applicable organization policies, and simulations.

• Emergency Response Service: Coverage for emergency response with specialization, assistance and forensics.

• Monitoring & Reporting: Reactive and proactive monitoring services.

• Technology Integration: Integration with event/log correlation tools and threat intelligence tools.

Page 6: Aujas Incident Management Deck Sept 2016


Incident Monitoring: Upgrade SOC Competency

• Internal Threat Intelligence: Visualize assets based on criticality, and the vulnerabilities of those assets. Use threat intelligence feeds and SIEM alerts to take a risk-based view on prioritization of risk mitigation. Add reverse malware analysis and forensics as capabilities.

• External Threat Intelligence: Go beyond reputation (IPs/URLs) and focus on customization based on industry feeds, the company's URL and the profile of its people. Indicators of compromise based on reverse malware analysis for scanning and infection, plus information about zero-day vulnerabilities.

• Strength of Analytics: Behavioral profiling for users and systems. Database searches and statistical modeling, reporting and visualization.

• Situational Awareness: Context and enrichment. Post-correlation, joining the dots to see the attack chain. Visibility: visualization of the state of security.

Page 7: Aujas Incident Management Deck Sept 2016


Kill Chain. Military Strategy: A model for the stages of an attack, and very valuable for prevention of attack.

• Situational Awareness: Ability to identify what is happening in the network.

• Reconnaissance: Identification and selection of the target host(s) or network by active scanning.

• Weaponization and Delivery: Transmission or injection of a malicious payload into the target.

• Persistency: Establish a foothold in the corporate network.

• Lateral Movement: Detect, exploit and compromise other vulnerable hosts.

• Data Exfiltration: Steal and transfer data outside.

• Corporate Policy Violation: Do not comply with security policy.

Page 8: Aujas Incident Management Deck Sept 2016


Incident Response: SOC 2.0 Operations – Incident response based on the kill chain

• Know your adversaries and their methods

• Detect threat activity in the kill chain

• Disrupt the kill chain and stop the attack

• Eradicate the threat agent and remove the threat

Threat Intelligence, Security Operation, Incident Response, Response Strategy, Threat Indicators

Page 9: Aujas Incident Management Deck Sept 2016


Advanced SOC

1. Strategy and Roadmap

• Maturity assessment across governance, operation, technology, integration and processes

• Strategy development from Current State to Future State

• Roadmap with milestones and financial budgeting

2. SIEM Optimization

• Use case fine-tuning and framework

• New use case creation

• Response run book

• Log source integration

• Reporting and visualization

3. SOC Governance

• SOC Organization

• Roles and Responsibilities and RACI

• Performance indicators and management

• Skill analysis, metrics & training

• Roster management

4. SOC Processes and Workflows

• Incident Management – Monitoring, Validation, Analysis, Triage, Escalation, Response and Resolution

• Problem Management

• Forensics Process

• Device on-boarding

5. SOC Reporting and Analytics

• SOC Advanced Reporting

• Visualization

• Analytical Reporting and Dashboards

6. SOC Operations

• L1: Monitoring and Validation

• L2: Triage and Escalation

• L3: Response and Coordination

• Security Integration: Vulnerability Mgmt, Asset Management, Identity Mgmt, Data Security

• Incident/ticketing tool

• Security Analytics & Incident Reporting

• SIEM Architecture

• SOC Engineering: Rule Dev/Tuning, Tool Integration, Device Mgmt

• SIRT: Incident Handling, Forensic Handling

• Security 2.0 Operations: Incident Monitoring, IOC Management, SIEM Rules and Use Cases, Response Playbooks, Threat Hunting, Simulations and Stress Test

Page 10: Aujas Incident Management Deck Sept 2016

Q&A Section

Page 11: Aujas Incident Management Deck Sept 2016

Q1. What is a Threat Pursuit team? How can it help?

Threat pursuit teams are a critical component of next-generation SOCs, and their main job is to watch out for threats proactively. A team ideally consists of 1-2 people with "hunter" skills, as defined below.

This team is typically responsible for the following:

• Review and analyze external threat intelligence feeds from industry, open source and security partners.

• Evaluate emerging threats.

• Internal proactive analysis of events, offenses and exploits.

• Proactive risk mitigation and analysis of emerging threats relevant to the organization.

• Operationalize threat detection and threat response based on intelligence feeds.

• Research, create and modify use cases/rules.

• Provide actionable items to the respective resolution teams.

• Create hypotheses for hunts and hunt missions.

• Test hypotheses and identify patterns.

• Provide actionable inputs.

Page 12: Aujas Incident Management Deck Sept 2016

Q2. How do we know there is an attack? How important is the SOC here?

There are 3 ways to know if you are already under attack.

1. By leveraging IoC tools like RSA ECAT, which has a large database of indicators of compromise and scans all endpoints to look for those indicators of compromise.

2. By hunting for threats. This is possible by two mechanisms. One is to look for threat indicators, either coming from threat intelligence feeds or from your own hypothesis that is being tested; the second method is behavior anomalies which might point to a compromise. Popular tools in these domains are Cybereason and Sqrrl.

3. By using kill-chain-based SIEM rules, which are chained so that an attack is identified as it moves through the stages of the cycle.

All three models are considered next-generation SOC, and SOCs do play a critical role in threat hunting and cyber attack detection. Once an attack is detected, the work of containment and eradication is done by the respective resolver groups from systems, applications, network and database, which typically form the CERT/ISIRT teams.
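As an added illustration of the third mechanism (this is not Aujas' code, nor any SIEM product's rule syntax), the following Python chains single-event detections into the kill-chain stages from page 7 and raises an alert only when one host progresses through several stages inside a time window; the rule names, hosts and events are constructed for the example.

```python
"""Kill-chain chained SIEM rule run over constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage order follows the kill chain on page 7 of the deck. The mapping from
# single-event rule names to stages is an assumption made for this example.
STAGE_ORDER = ["reconnaissance", "delivery", "persistency",
               "lateral_movement", "exfiltration"]
STAGE_OF_RULE = {
    "port_scan_detected": "reconnaissance",
    "email_attachment_quarantined": "delivery",
    "new_autorun_service": "persistency",
    "admin_share_logon_new_host": "lateral_movement",
    "large_outbound_transfer": "exfiltration",
}

# Constructed sample events: (timestamp, host, single-event rule that fired).
SAMPLE_EVENTS = [
    ("2016-09-12 07:02", "ws-17", "port_scan_detected"),
    ("2016-09-12 07:40", "ws-17", "email_attachment_quarantined"),
    ("2016-09-12 09:15", "ws-17", "new_autorun_service"),
    ("2016-09-12 12:25", "ws-17", "admin_share_logon_new_host"),
    ("2016-09-12 14:05", "ws-42", "port_scan_detected"),  # lone event, no chain
    ("2016-09-12 14:30", "ws-17", "large_outbound_transfer"),
]


def chained_alerts(events, min_stages=3, window_hours=12):
    """Return [(host, stages)] for hosts whose events reach at least
    `min_stages` distinct kill-chain stages, in chain order, inside the window.
    A single rule firing never alerts on its own; only the chain does."""
    window = timedelta(hours=window_hours)
    per_host = defaultdict(list)
    for ts, host, rule in events:
        stage = STAGE_OF_RULE.get(rule)
        if stage:  # events without a stage mapping are ignored
            per_host[host].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), stage))
    alerts = []
    for host, seen in per_host.items():
        chain, chain_start = [], None
        for ts, stage in sorted(seen):
            if chain and ts - chain_start > window:
                chain, chain_start = [], None  # window expired: start over
            if not chain:
                chain, chain_start = [stage], ts
            elif STAGE_ORDER.index(stage) > STAGE_ORDER.index(chain[-1]):
                chain.append(stage)  # only progress to a later stage counts
        if len(chain) >= min_stages:
            alerts.append((host, chain))
    return alerts
```

Running `chained_alerts(SAMPLE_EVENTS)` flags only ws-17, whose events cover all five stages within about seven and a half hours, while the lone scan from ws-42 stays silent.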

Q3. How to make use of Threat Intelligence feeds to detect cyber attacks proactively?

Threat intelligence is very valuable in preventing cyber attacks, and can be used both manually and in an automated manner in a SOC.

A. A threat hunter can use the threat intelligence feed to view, validate and research the vulnerabilities and the applicability of the malware, bad IPs, URLs etc., map them to the organization's assets, and so proactively protect the systems.

B. The automated process is via STIX/TAXII-compliant ingestion, acting on the feed to auto-block bad IPs and URLs, file names, checksums etc.
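As an added illustration of the automated path in B (not Aujas' code; the TAXII transport is left out), the following Python reads a constructed STIX 2.1 indicator bundle, skips revoked and expired indicators, and extracts the IPs, URLs, file names and checksums that an auto-blocking step would push to the firewall, proxy or endpoint tooling.

```python
"""Turn a STIX 2.1 indicator bundle into blocklist entries."""
import json
import re
from datetime import datetime

# Constructed STIX 2.1 bundle: the IP and URL are documentation-range values,
# the hashes are obviously synthetic, and object IDs are omitted for brevity.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.5']",
     "valid_from": "2016-09-01T00:00:00Z"},
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[url:value = 'http://bad.example/dl']",
     "valid_from": "2016-09-01T00:00:00Z", "valid_until": "2016-09-10T00:00:00Z"},
    {"type": "indicator", "pattern_type": "stix", "revoked": True,
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
     "valid_from": "2016-09-01T00:00:00Z"},
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[file:name = 'invoice.exe' AND file:hashes.MD5 = '" + "cd" * 16 + "']",
     "valid_from": "2016-09-01T00:00:00Z"},
]})

# One comparison inside a STIX pattern: <object type>:<property path> = '<value>'
COMPARISON = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")


def _ts(iso):
    """Parse a STIX timestamp such as 2016-09-10T00:00:00Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def blocklist_from_bundle(bundle_json, now_iso):
    """Return {category: sorted values} for indicators still valid at now_iso.
    Revoked indicators and those past valid_until are dropped, so stale
    intelligence never reaches the blocking controls."""
    now = _ts(now_iso)
    out = {"ip": set(), "url": set(), "hash": set(), "filename": set()}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # only STIX patterns are parsed here
        if obj.get("valid_until") and _ts(obj["valid_until"]) <= now:
            continue
        for sco, path, value in COMPARISON.findall(obj["pattern"]):
            if sco == "ipv4-addr" and path == "value":
                out["ip"].add(value)
            elif sco == "url" and path == "value":
                out["url"].add(value)
            elif sco == "file" and path.startswith("hashes."):
                out["hash"].add(value.lower())
            elif sco == "file" and path == "name":
                out["filename"].add(value)
    return {k: sorted(v) for k, v in out.items()}
```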

Page 13: Aujas Incident Management Deck Sept 2016

Q4. What are some of the best practices to track employee network behavior without infringing on privacy? Example: social media activities.

There are policies to track user behavior which provide exceptions for monitoring employee financial transactions and related traffic. Some of the advanced threat hunting platforms can pull everything from network traffic, logs and authentication information to full packet capture, but they are useful in big data and machine learning scenarios to identify anomalies, and not really to look into the details of individual transactions.

As far as forensics is concerned, private information is still obfuscated, and only the relevant information needed for data security breaches is searched.

Q5. Can you share case details related to specific industries? E.g. BFSI, Telecom, Utilities, etc.

Given that we have worked with many popular companies in various industries, we get to know of specific cases, but we would definitely not be sharing the details with others from a privacy perspective. Having said that, we can always share industry best practices, and can provide specific suggestions on a case-specific basis. You can reach us at www.aujas.com

Page 14: Aujas Incident Management Deck Sept 2016

Q6. What to do in the case of a zero-day attack, when the patch is yet to be made available?

All attacks follow the incident lifecycle of detection, validation, containment and eradication. In the case of a zero-day attack that is detected via threat intelligence/behavior analysis while the patch is yet to be made available, you should figure out complementary and monitoring controls.

For example, suppose you see a zero-day attack against SSL connections, you do not have any patch, and you cannot stop SSL as that is the primary means of connection, but there is a risk of getting sniffed. Then you start monitoring connections for anomalies by SSL offloading and full packet inspection. In case you do not have that capability, then you just monitor packet size, since a normal HTTP request and response size is 4 to 5KB, and check that traffic meets that criterion.

Page 15: Aujas Incident Management Deck Sept 2016

SOC Organization Structure Template (Ideal Scenario)

1. One SOC Manager.

2. Three L3 resources, one specializing in Network, the second in OS and the third in Applications, for expertise and quick triage and validation.

3. Three L3 resources with experience in OS, Web App and Network security, each resource to have additional knowledge and experience in StealthWatch, DLP, DRM, DAM and Firewall/IPS.

4. Eight L1 resources with a combination of skills in Network, OS and Application knowledge.

5. Two SIEM administrators; one specializing in customization of connectors and use case configurations, while the other will perform day-to-day operations like user and group management, reporting and dashboards.

6. One Threat Analyst/Hunter.

Q7. What is the mix of skill-sets required for an ideal SOC?

One should have a good mix of monitoring, triage, incident response, threat hunter, SIEM administrator and forensic expert skills in the SOC.

If possible, you should cross-train a few people to hold multiple responsibilities. A SOC Manager to manage the skill inventory, roster and career progression is recommended.

Page 16: Aujas Incident Management Deck Sept 2016

Q8. What specific steps do you recommend for BFSI to minimize cyber risk?

Define Cyber Risk Governance – A governance framework is vital for managing cyber risks; it is important to establish various teams with clear roles and responsibilities, along with integration with other teams like Business Continuity, Disaster Recovery and Crisis Management.

Understand Organization Cyber Landscape – The organization should understand the cyber vulnerabilities of the multiple locations where data is stored, transmitted or accessed by various stakeholders (internal employees, partners, clients etc.).

Identify Critical Processes and Assets – Identify the most critical revenue-generating "organization units", processes and assets. Understand where they are located, how they are accessed and by whom.

Identify Cyber Threats – Analyze and consolidate the applicable cyber threats which the organization wants to manage. A robust threat-analysis capability is to be established based on internal and external sources.

Plan & Respond – Clear and defined procedures in the form of a playbook aid effective cyber risk management. These procedures need to clearly define the incident lifecycle, the teams to be involved with their roles & responsibilities, the escalation mechanism and the time to resolve/escalate. The monitoring team should effectively identify, analyze and report cyber incidents to the respective team for their action and response.

Page 17: Aujas Incident Management Deck Sept 2016

Contact [email protected]

Visit us @ www.aujas.com

Page 18: Aujas Incident Management Deck Sept 2016

Aujas Information Risk Management

We help organizations manage information security risks by protecting data, software, people and identities in line with compliance requirements and best practices; we also help strengthen security governance and intelligence frameworks.

• Global Delivery Model

• Lifecycle Services Approach

• Accelerators for Customers

• Strong Project Management

• Investors: IDG, IvyCap, RVCF

Professionals: 380 | Countries: 22 | Customers: 400

www.aujas.com

Page 19: Aujas Incident Management Deck Sept 2016

Security Portfolio

Security Analytics & Visualization Platform

Functional Practices:

• Risk Advisory

• Identity & Access

• Threat Management

• Security Intel & Ops

• Digital Security

• Vulnerability Intel

• Co-Managed Security

• Vendor Risk

• Data Protection

Services: Platform as a Service (PaaS)

US. UAE. India | www.aujas.com Copyright @2016 Aujas Information Risk Services